top of page

Coinbase $100 million settlement - what went wrong

Updated: Oct 21, 2023

Coinbase, a well-known crypto exchange, will pay a $50 million penalty and will invest an additional $50 million in its compliance function over the next two years.


According to the announcement (see link in comments), Coinbase violated the New York Banking law and the New York State Department of Financial Services (DFS) regulations.

Coinbase, considering its size and complexity, had inadequate:

  • Compliance program: failed to build and maintain a functional, risk-based compliance program that could keep pace with its growth.

  • KYC/CDD procedures: treated customer onboarding as a simple check-the-box exercise.

  • Enhanced Due Diligence: lacked sufficient personnel, resources and tools to conduct EDD to its more than 14k high-risk clients.

  • Transaction monitoring systems (TMS): unable to keep pace with the growth in the volume of alerts generated by the TMS (more than 100k transactions remained unreviewed for months).

  • Suspicious activity reports (SAR): routinely failed to timely investigate and report suspicious activity. Some SARs were filed months after the activity was first known.

  • Sanctions compliance systems and PEP checks: failed to check its clientele against sanctions and PEP lists regularly after onboarding.

  • Geographical risk: Allowed their customers to use Virtual Private Networks (VPNs)) and The Onion Router (TOR) enabling them to hide their actual location.

  • Annual risk assessments: Failed to conduct annual firm-wide risk assessments

  • Cybersecurity risk: Did not properly report a cybersecurity incident to DFS as required by the law.

Lessons learned

The cryptocurrency sector is relatively newly regulated.

Crypto providers have less experience in anti-money laundering (AML) compliance than traditional financial institutions that build their compliance departments for decades (although often they also fail).

The money laundering and terrorist financing (ML/TF) risks can be mitigated if crypto companies, among others:

✔️ Employ people/advisors with sufficient experience and understanding of the AML laws.

✔️ Understand their ML/TF risks

✔️ Take appropriate measures commensurate to the risks identified.

✔️ Do not rely on a check-the-box approach but obtain a holistic understanding of their clients.

✔️ Conduct appropriate training for their employees.

✔️ Appoint an independent audit function to test their compliance systems.


bottom of page